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ABSTRACT 



Methods and apparatus for establishing secure wireless links 
between a handset and a base station in cordless telephone 
systems are described. A method of generating a secure 
wireless link between a handset and a base station includes 
initiating a linking procedure, generating a security code, 
trasmitting the security code from a sound transmitter, 
receiving the security code at a sound receiver and then 
establishing a radio frequency link between the handset and 
the base station utilizing the security code. A cordless 
telephone system capable of generating a secure wireless 
link includes both a handset and a base station. The handset 
includes a control circuit, an rf transmitter and an rf receiver 
coupled to the control circuit along with a sound receiver 
also coupled to the control circuit. The base station includes 
a control circuit, a code generation circuit coupled to the 
control circuit, a sound transmitter coupled to the control 
circuit for transmitting a code generated by the code gen- 
eration circuit, and an rf transmitter and an rf receiver 
coupled to the control circuit, 

9 Claims, 4 Drawing Sheets 
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METHOD AND SYSTEM WHICH USES 
SOUND WAVE BASED COMMUNICATION 
TO GENERATE A SECURE WIRELESS LINK 
BETWEEN A HANDSET AND BASE STATION 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates generally to wireless communica- 
tion systems that includes security arrangements for pre- 
venting any unauthorized use and has particular applicability 
to cordless telephone systems. 

2. Description of the Related Art 

The cordless telephone has become a popular consumer 
good. The cordless telephone allows a user to untether 
herself from a wired connection to her local telephone line. 
Typically a cordless telephone is comprised of two units: a 
base unit and a handset, both of which are radio frequency 
("rf") transceivers. The base unit connects to the public 
switched telephone network, typically using a standard 
RJ-11 connector. The base unit provides a wireless connec- 
tion or a wireless communication link through the handset. 
The handset is capable of receiving and transmitting signals 
over a wireless link to the base unit. The base unit typically 
includes an antenna, a transmitter and a receiver. The 
handset typically includes a speaker, a microphone, an 
antenna, a transmitter and a receiver. 

In operation, to place a telephone call from a cordless 
telephone handset, the handset is enabled causing a control 
signal to be generated at the handset and transmitted to the 
base unit. The base unit receives and detects the control 
signal and in response thereto seizes the telephone line. 
Dialing signals and audio signals from the handset are 
transmitted (using various known transmission schemes and 
formats) to the base unit which then transmits them over the 
telephone line. The base unit receives audio information 
over the telephone line and then transmits that information 
to the handset. 

With the ever increasing use of cordless telephones and 
the limited frequency band available for transmission 
between handsets and base stations, many users are assigned 
the same frequencies for transmitting and receiving. People 
cognizant of this fact have used handsets to place unautho- 
rized telephone calls through the base stations of other users. 
With the range of communication between a base unit and a 
handset typically extending at least a few hundred feet, it is 
quite feasible that a person may travel around slowly in an 
automobile with a handset unit turned on until she receives 
a dial tone and then places a call over another person's 
telephone lines. 

In order to prevent the placing of unauthorized telephone 
calls, various systems have been developed to attempt to 
ensure that unauthorized telephone calls are not placed. One 
such system involves a control code that is determined by 
switches manually preset in both the handset and the base 
unit. Only after receipt of a signal with this control code 
from the handset and the favorable comparison thereof with 
the control code set at the base unit, docs the base unit allow 
the telephone line to be seized to place the call from the 
handset. The possibility of mismatching the switch settings 
in the handset and the base unit is high, however, and the 
number of switches is therefore usually kept to a small 
number. Unfortunately this increases the opportunity for an 
unauthorized user to correctly determine the control code. 
Additionally, varying the switch setting between units dur- 
ing production increases production costs. 
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Some cordless telephone systems are designed to operate 
such that the handset and base station never come into 
physical contact. However, to achieve a secure wireless link, 
both the handset and the base unit need to know the same 

5 control or security code. If the system is designed such that 
this same security code is used by all base units in 
production, then unauthorized users can easily communicate 
with a base station and make unauthorized calls. Again, 
programming a unique security code into each handset and 

10 base unit pair at the factory can add significantly to produc- 
tion costs. It also precludes multi-handset unit systems and 
precludes the use of additional handsets with the base 
station. 

In another security system for use with cordless 
is telephones, the radio frequency link between the base unit 
and the handset is used to set the security code. Sometimes 
this is done at a lower power transmission to help reduce the 
chance of an unauthorized user receiving this "set up" 
transmission. However, even in the lowest available power 
20 setting, most base units still transmit in a range that far 
exceeds the buildings in which they are used and thereby 
potentially allows unauthorized users to intercept this com- 
munication. 

In still another security system for use with cordless 
25 telephones, to prevent an unauthorized handset from obtain- 
ing dial tone from a base unit, a predetermined security code 
stored in the base unit is transferred to the handset while the 
handset is located in a mating cradle in the base unit. The 
battery that allows for operation of the handset while remote 
30 from the base unit is normally charged when the handset is 
placed in this mating cradle. The direct current charging path 
established for charging of the battery also includes transfer 
circuits in the base unit and the handset to respectively 
transmit and receive the security code. Such a system is 
35 described in U.S. Pat. No. 4,736,404, issued Apr. 5, 1988. 

SUMMARY OF THE INVENTION 

All of the foregoing described systems have addressed the 
problem of preventing unauthorized users from obtaining a 

40 dial tone and placing a call through another base unit. 
Another problem exists in the area of cordless telephones, 
and that is the problem of eavesdropping on the transmission 
between the base unit and the handset, Therefore, it would 
also be desirable to have the radio frequency transmissions 

45 between the base unit and handset be made more secure. 
The invention is generally directed to methods and appa- 
ratus for establishing secure wireless links between a hand- 
set and a base station. One embodiment of the invention 
finds particular application to cordless telephone systems. 

50 One aspect of the invention encompasses a method of 
generating a secure wireless link between a handset and a 
base station. The method includes initiating a linking 
procedure, generating a security code, transmitting sound 
based on the security code at the base station, receiving the 

55 sound at the handset, and then establishing a radio frequency 
link between the handset and the base station utilizing the 
security code. 

In another aspect of the invention, a cordless telephone 
system capable of generating a secure wireless link includes 

60 both a handset and a base station. The handset includes a 
control circuit, a sound receiver, an rf transmitter, an rf 
receiver and a keypad, all coupled to the control circuit. The 
base station includes a control circuit, a code generation 
circuit coupled to the control circuit, a sound transmitter 

65 coupled to the control circuit for transmitting a code gen- 
erated by the code generation circuit, and an rf transmitter 
and receiver coupled to the control circuit. 
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In a further aspect of the invention, the code generation tions could be exchanged, and other security arrangements 
circuit includes a pseudo random number generator. could be transmitted between the handset and base unit as 

are known to those of ordinary skill in the art. 
BRIEF DESCRIPTION OF THE DRAWINGS Fia x mustrates a cordless telephone system generally 

The features and advantages of the invention will become 5 indicated as 100 which incorporates the present invention, 

more apparent from the detailed description set forth below ^ cordless telephone system 100 includes a handset umt 

when taken in conjunction with the drawings wherein like 50 and a base umt 10 ^ handset 50 and the base unit 10 

parts are identified with like reference numerals throughout communicate via a radio frequency communication ("rf ') 

and wherein: Hnk m 

FIG. 1 is an exemplary cordless telephone system in 10 ^ base ^ 10 * *rP™XLy connected through a hard 

accordance with aspects of the present invention; ^ connection 25 to the public switched telephone network 

- . i.. i j- JL • 20. Base unit 10 includes an antenna 29 for transmitting and 

FIG. 2 is a block diagram of handset and base unit receivi rf si h A ^ transmitter 27 such * s a 

according to the present invention: i • • i j j • *i_ i_ •* ^ u i 

& y 9 speaker, is included in the base unit. The base unit also 

FIG. 3 is a flow diagram of a process for establishing a is mc i U( jes an initialization button 96 and can include other 

secure wireless link; and buttons or contact switches to allow a user to interact with 

FIG. 4 is a flow diagram of a process for establishing a the device. A cradle 99 in the base unit is configured to 

secure wireless link for a second handset. receive the headset 50. 

m The handset 50 includes an antenna 59 for transmitting 

DETAILED DESCRIPTION OF THE 20 and 

receiving rf signals. The handset 50 further includes a 

PREFERRED EMBODIMENT sound transmitter 58 such as a speaker and a sound receiver 

In a cordless telephone system where the base unit and 57 sucn as a microphone. Typically, the handset 50 includes 

handset need to have or "know" the same security code, it a ke y P ad 60 of the type typically included on telephones for 

is desirable to be able to communicate a selected security 25 inputting information into the handset 50 and a display 63 

code from the base unit to the handset, or vice versa, in a for transmitting information to the user. Typically, the hand 

secure manner. This ability can be useful, for example, when set 50 is configured to rest in the cradle 99 of the base unit 

a new handset and base unit are first put into service, when 10 wnen tne nand ^ 50 ^ not in use. However, in some 

a handset is replaced with a new unit, and when additional cordless telephone systems, particularly those in which the 

handsets are added to operate with an existing base unit. The 30 base unit is installed in a remote or not easily accessible 

security code can be utilized to prevent unauthorized hand- location, cradle 99 is not included. 

sets from utilizing the telephone connection of the base unit, FIG. 2 is a functional block diagram representation of a 

as part of an encoding scheme for encoding transmissions cordless telephone system in accordance with principles of 

between the handset and the base unit to eliminate the invention. However, the use of the invention is not 

eavesdropping, or as the first step in a two or more stage 35 limited to any specific cordless telephone system and is 

process wherein the security code is used to verify an initial applicable to the various cordless telephone systems known 

link between a handset and a base unit with subsequent to those of skill in the art. 

communication over the initial link utilized to transmit a As shown in FIG. 2, the cordless telephone system 
more secure and complex code and/or security arrangement generally includes a base unit 10 and a handset 50. Included 
between the two units. 40 in the base unit 10 is a channel select circuit 11 and a code 
In an embodiment of the invention, during system generation circuit 12. The channel select and code genera- 
initialization, such as when the base unit is first installed, or tion circuits can be implemented as a non -volatile memory, 
when a new handset is to be initialized with an existing base As will be apparent to those skilled in the art, the channel 
unit, the base unit and handset first exchange a security code. select and code generation circuits could alternatively be 
The security code is exchanged in a manner which mini- 45 implemented in the handset unit 50. 
mizes the possibility of it being received or intercepted by a The code generation Circuit 12 can alternatively be imple- 
third party. Specific methods and apparatus for accomplish- mented as a random or pseudo random number generator, 
ing this exchange are described below in more detail. After The random number can be generated when the base station 
the security code has been exchanged, it is used by the base is powered up for the first time or when put into a code 
unit to verify communications received from the handset. 50 generation mode by the user. 

That verification method can be a simple password, but it The control circuit 13 is coupled to both the channel select 

also can be used as an encryption key for the actual circuit 11 and the code generation circuit 12. The control 

information transmitted between the handset and base unit, circuit 13 processes the appropriate channel selection and 

thereby making it much more difficult for eavesdroppers to appropriate security code data selected for use in the base 

obtain any useful information. 55 unit 10. The control circuit can be implemented through the 

As a further part of the initial set up operation, after the use of a micro processor, 
base unit and handset have exchanged a security code, they The base unit 10 also includes a telephone circuit 17 that 
can then use this initial secure level of communications connects an rf transmitter 18 and an rf receiver 19 to a 
based upon the security code to exchange much more central telephone office through TIP and ring lines 171 and 
elaborate security codes and/or communication protocols. 60 172 respectively. The transmitter 18 and the receiver 19 
For example, the initial security code could be a simple respectively transmit to and receive rf signals from the 
alpha numeric code which is used as both a password and handset 50 with the control circuit 13 providing the appro- 
encryption key, Further set up information could then be priate frequency channel information for this communica- 
exchanged to establish more elaborate security precautions tion over control line 131. The receive and transmit signals 
over the communication link using the password and 65 of the base unit 10 are coupled to a duplexer 20 which 
encryption. For example, more complex security codes permits the transmitter 18 and receiver 19 to both operate 
could be exchanged, frequency hopping patterns and dura- through antenna 21 while stopping the output power of 
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transmitter 18 from being coupled directly into the input of first powering on the unit, or, alternatively, by pressing an 

the receiver 19. initialization button, or other suitable method. The handset 

A charge and cradle status circuit 14 is also connected to then operates or carries out a series of instructions utilizing 

the control circuit 13. This circuit provides a charging path the circuit 53 under the of a software or 

for charging a battery 54 in the handset unit 50 through a 5 firmware program as described below, 

charge contact interface, including contacts 141, 142, 511 In Dlock 35 <* the handset transmits a signal over the rf link 

and 512 from a power circuit 116 and it monitors cradle t0 the base unit utilizing the security code. For this initial 

status circuitry to determine when a handset is in the cradle. establishment of the rf link, the security code can be used as 

The speaker (sound transmitter) 27 is connected to the P" 1 of the hand shake P rotoco1 and/or ^ m encoding key. 
control circuit 13. The speaker is capable of transmitting the 10 In block 360 > in response to the transmission from the 
security code generated by the code generation circuit 12 to handset, the base unit 10 transmits additional security infer- 
tile handset within a limited range. mation to the handset 50 via the rf link, also utilizing the 

Contained in the handset unit 50 is a charge circuit 51 M . °[ a ^ nd shake routine and/or as an 

which provides a charging path through the power circuit 16 „ ? nC ° dl °S ° bl °<* 38 ° 11 b ° t th theba f umt . and j he 

to charge the battery 54 by the charge contact interface. A 15 handset utilize he additionally transmitted security infor- 

control circuit 53 in the handset unit 50 interfaces with the matl0n tc L est f abhs !l * mo ^ scc * re rf c°™ication hnk 

circuit 51 over line 513 between the two. The additional security information can 

„, , . . * , . , , . include a more complex security code, hopping patterns and 

The control circuit 53 can be implemented by a micro- durations and olher security arrangements. 

r CeS 7'^ C CO r tr0 <w Ult " communicates with a 20 M was indicated ab ^ invemion can be . 

key pad 60 via line 61 for receiving user input. Special meQted ^ the ^ m{x and tfae handset esscnt £ u 

function keys can be included to begin the initiation reyersi roles , n ^ embodiment> the code /_ 

sequence described below. The control circuit 53 includes a erati ^ {& , ocated iQ ^ A ^ * Qr 

memory located therein for storing for example, the othef audk) receiyer fa {oc ^ d Qn ^ for 

received security code. A microphone 57 and a speaker 58 ■>* tU ~ j * j u *u i • .u 

., j. • . j . ,J r t , Cl • : m 25 receiving the security code transmitted by the speaker in the 

provide audio input and output for the rf transmitter 55 and handset 

rf receiver 56, respectively. The rf output of the transmitter «».'., . . 1 . „ , , . . 

_ . • t f MM - . er i a * * en When the base umt is to be installed at a location that is 

55 and input from receiver 56 are coupled to an antenna 59 ., , , t , 

t , . „ ie <T t-u„ • i * „ , fi not easily accessible, an alternative embodiment of the 

through a duplexer 157. Ine microphone 57 also functions . 4 . J , \ , , , ... . 

to receive transmissions from the speaker 27 of base unit 10. 30 T ™ ™l t em P lo y ed as w11 be 

Alternatively, a separate microphone can be included in the deSCTlbed Wtb referenc6 t0 nG - 4 ' 

handset for that purpose ' n "lock 410, a secure RF link is established between the 

„ . . • * . « • 1 . i . base unit 10 and a first handset 50. The establishment of this 

During normal operation the base unit 10 and the handset ^ RF ^ caQ be a lished as was described above 

fiTiTu a l e in ^ !f F !, 0eS c a n , Dgt u e refercacc t0 ™. 3. In addition, this RF link is 

rf link 110, both the base unit 10 and handset 50 need to be 35 fefabl established ior t0 ^ilkm of the base unit in 

S U SamC COmmUDIC 00 a SCCUnty Pr °~ ^ inaccessible location. 

_ ' . . In block 412, in response to user input such as the pressing 

Referring now to FIG. 3, a method of operation of the 0 f an initiaUzation button or the entering of a predetermined 

invention with reference to the block diagram of FIG. 2 will sequence of keys on the keypad 60, the first handset 50 

be provided. Though the following description has the base « transmits an initialization signal to the base station 10. This 

unit 10 begin the initiaUzation, the method can also be approach fe particular iy advantageous when the base station 

implemented with the base unit and handset switching roles. has been installed in an inaccessible location. 

In block 310, the initialization sequence is begun. When i n block 414, in response to the initialization signal, the 

the cordless telephone system is first installed, or when a base station 10 generates a security code utilizing the code 

new handset is to be used with the base unit, the initiaUzation generation circuit. The base station 10 then transmits the 

sequence is carried out. The initiaUzation sequence can be security code via the speaker 27 to the handset which is 

started by the user interacting with the base unit, such as being added to the system (the second handset), 

pressing the initialization button 96 (see FIG. 2) or a series In block 418 the second handset receives the secufit via 

of buttons on the base unit. Alternatively, the initialization its microphone. In block 420, the second handset transmits 

sequence can begin automaticaUy upon power up of the base a signal over the RF link to the base station utilizing the 

unit. The mitiahzation sequence depicted in FIG. 3 can be security code. For this initial estabUshment of the RF link, 

contra led through software or firmware running on the for example, the security code can be used as part of the 

control circuit 13 of the base unit 10. handshake protocol and/or as an encoding key. 

In block 320 the code generation circuit 12 generates a 55 In block 42 2, in response to the transmission from the 

security code. As was discussed above, the security code can second handset, the base unit 10 can transmit additional 

be generated using a table stored in non-volatile memory or security information to the handset via the RF link, also 

a pseudo random generator. In block 330 the security code utilizing the security code as part of a handshake routine 

is transmitted via the speaker 27 of the base unit. and/or as an encoding key. 

The security code can be transmitted via the speaker 27 in 60 l n block 424, both the base unit and the second handset 

any appropriate sound format. For example, the transmission utilize the additionally transmitted security information to 

can take the form of DTMF tones, amplitude modulation, estabUsh a more secure RF communications hnk between 

pulse width modulation, pulse position modulation or the the two. Additional security information can include a more 

hke. complex security code, hopping patterns and durations and 

At block 340 the transmitted security code is received by 65 other security arrangements, 

the microphone 57 of the handset. As with the base unit, the A significant aspect of the invention is the abiUty to 

handset can be placed in an initialization mode directly upon remotely exchange initial security related data, wherein the 
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handset is not in physical contact with the base unit while 
minimizing the risk of reception by a third party. 

Another aspect of the invention is that the initial security 
code can be rather short, particularly when it is utilized in a 
method wherein more complex security information and 
arrangements are later transmitted over the rf link. Keeping 
the initial security code simple minimizes the length of the 
sound transmission. The robustness of the security system is 
a significant improvement over prior art systems because the 
initial security code is transmitted in a way that is not easily 
detectable by third parties. 

Although specific implementations and operation of the 
invention have been described above with reference to 
specific embodiments, the invention may be embodied in 
other forms without departing from the spirit or central 
characteristics of the invention. The described embodiments 
are to be considered in all respects only as illustrative and 
not restrictive. The scope of the invention is indicated by the 
appended claims rather than by the foregoing description. 
All changes which come within the meaning of equivalency 
of the claims are to be embraced within their scope. 

What is claimed is: 

1. A method of generating a secure wireless link between 
a handset unit and a base station unit, the method compris- 
ing: 

transmitting a wireless initialization signal from a first 
handset unit to a base station unit generating a security 
code; 

transmitting the security code from a sound transmitter at 
the base station unit in response to the initialization 
signal; 

receiving the security code at a sound receiver at a second 
handset unit which is to be initialized, wherein the 
second handset unit is remote from the base station 
unit; and 

establishing an rf link between the second handset unit 
and the base station unit utilizing the security code. 
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2. The method of claim 1 wherein said generating step is 
initiated upon applying power to the system. 

3. The method of claim 1 further comprising transmitting 
additional security information over the established rf link 

5 utilizing the security code. 

4. The method of claim 1 wherein the step of generating 
the security code further comprises generating a pseudo 
random number. 

5. The method of claim 1 wherein the step of generating 
the security code comprises selecting an entry from a table. 

6. A cordless telephone system capable of generating a 
secure wireless link between a handset unit and a base 
station unit, the system comprising: 

3 s a first handset unit including means for transmitting a 
wireless initialization signal to a base station unit; 
a base station unit including a sound transmitter, means 
for generating a security code and means for transmit- 
ting the security code from the sound transmitter in 

20 response to the initialization signal; and 

a second handset unit including a sound receiver, means 
for receiving the security code at the sound receiver at 
the second handset unit which is to be initialized when 
the second handset unit is remote from the base station 

25 unit, and means for establishing an rf link between the 
second handset unit and the base station unit utilizing 
the security code. 

7. The system of claim 6 wherein said base station unit 
further comprises means for transmitting additional security 

30 information over the established rf link utilizing the security 
code. 

8. The system of claim 6 wherein said means for gener- 
ating a security code is configured to generate a pseudo 
random number. 

35 9. The system of claim 6 wherein the means for generating 
a security code comprises a code generation circuit. 

* * * * * 
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